// Matches a 16-byte run of 32-bit x86 opcodes attributed (via threat_name) to
// Linux.Exploit.Cornelgen: the tail of an int 0x80 execve stub followed by exit.
rule Linux_Exploit_Cornelgen_584a227a {
    meta:
        author = "Elastic Security"
        id = "584a227a-bf17-4620-8b10-97676f12ea5b"
        fingerprint = "65a23e20166b99544b2d0b4969240618d50e80a53a69829756721e19e4e6899f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Cornelgen"
        reference_sample = "c823cb669f1d6cb9258d6f0b187609c226af23396f9c5be26eb479e5722a9d97"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Decoded as i386 machine code:
        //   6E        standing alone: outsb; presumably the last byte of a
        //             preceding immediate (e.g. the 'n' of "/bin") - confirm
        //             against the reference sample
        //   89 E3     mov ebx, esp
        //   52        push edx
        //   53        push ebx
        //   89 E1     mov ecx, esp
        //   B0 0B     mov al, 0x0b    ; i386 syscall 11 = execve
        //   CD 80     int 0x80
        //   31 C0     xor eax, eax
        //   40        inc eax         ; eax = 1, i386 syscall 1 = exit
        //   CD 80     int 0x80
        // NOTE(review): this looks like a generic execve/exit shellcode
        // epilogue rather than bytes unique to one family, so it may also hit
        // shellcode collections, exploit archives and security tooling.
        // Corroborate a match (file origin, process context) before treating
        // the severity = 100 verdict as confirmed.
        $a = { 6E 89 E3 52 53 89 E1 B0 0B CD 80 31 C0 40 CD 80 }
    condition:
        // Only $a is defined, so this requires $a anywhere in the scanned
        // data; there is no file-type, size or offset constraint.
        all of them
}

// Matches a 16-byte run of 32-bit x86 opcodes attributed (via threat_name) to
// Linux.Exploit.Cornelgen. The pattern embeds two absolute memory addresses,
// so it identifies one specific build layout rather than a behaviour.
rule Linux_Exploit_Cornelgen_be0bc02d {
    meta:
        author = "Elastic Security"
        id = "be0bc02d-2d9d-4cbe-9d6a-3a88ffa1234b"
        fingerprint = "6b57eb6fd3c8e28cbff5e7cc51246de74ca7111a9cd1c795b21aa89142a693b4"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Cornelgen"
        reference_sample = "24c0ba8ad4f543f9b0aff0d0b66537137bc78606b47ced9b6d08039bbae78d80"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Decoded as i386 machine code:
        //   8B 44 24 08             mov eax, [esp+8]
        //   A3 B8 9F 04 08          mov [0x08049fb8], eax
        //   0F B7 05 04 A1 04 08    movzx eax, word ptr [0x0804a104]
        // Both addresses sit in the 0x0804xxxx range conventionally used by
        // non-PIE i386 ELF executables; presumably they are globals of the
        // reference sample - confirm.
        // NOTE(review): the instructions themselves are ordinary compiler
        // output; the detection value comes from the exact address bytes.
        // A relinked or recompiled variant will likely not match. Wildcarding
        // the address bytes would widen coverage but also raise the
        // false-positive rate, so validate any such change against a clean
        // corpus first.
        $a = { 8B 44 24 08 A3 B8 9F 04 08 0F B7 05 04 A1 04 08 }
    condition:
        // Only $a is defined, so this requires $a anywhere in the scanned
        // data; there is no file-type, size or offset constraint.
        all of them
}

// Matches a 16-byte run of 32-bit x86 opcodes attributed (via threat_name) to
// Linux.Exploit.Cornelgen: two back-to-back int 0x80 system calls whose
// numbers correspond to mkdir and chroot on i386.
rule Linux_Exploit_Cornelgen_03ee53d3 {
    meta:
        author = "Elastic Security"
        id = "03ee53d3-4f03-4c5e-9187-45e0e33584b4"
        fingerprint = "f2a8ecfffb0328c309a3a5db7e62fae56bf168806a1db961a57effdebba7645e"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Cornelgen"
        reference_sample = "711eafd09d4e5433be142d54db153993ee55b6c53779d8ec7e76ca534b4f81a5"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // Decoded as i386 machine code:
        //   C9        standing alone: leave; may instead be the trailing byte
        //             of a longer preceding instruction - confirm against the
        //             reference sample
        //   B0 27     mov al, 0x27    ; i386 syscall 39 = mkdir
        //   CD 80     int 0x80
        //   31 C0     xor eax, eax
        //   B0 3D     mov al, 0x3d    ; i386 syscall 61 = chroot
        //   CD 80     int 0x80
        //   31 C0     xor eax, eax
        //   8D 5E 02  lea ebx, [esi+2]
        // NOTE(review): a mkdir-then-chroot pair issued through raw int 0x80
        // is presumably part of a chroot-escape payload; that reading is
        // inferred from the syscall numbers alone, so verify it against the
        // sample before relying on it during triage.
        $a = { C9 B0 27 CD 80 31 C0 B0 3D CD 80 31 C0 8D 5E 02 }
    condition:
        // Only $a is defined, so this requires $a anywhere in the scanned
        // data; there is no file-type, size or offset constraint.
        all of them
}

